HeapLAB - GLIBC Heap Exploitation

4 Day u_long 32 CPE Hour Training: August 2020

AUG 8,9,11,13 [click for important details!]


For nearly 20 years, exploiting memory allocators has been something of an art form. Become a part of that legacy with HeapLAB.

The GNU C Library (GLIBC) is a fundamental part of most Linux desktop and many embedded distributions; its memory allocator is used in everything from starting threads to dealing with I/O. Learn how to leverage this vast attack surface with more than 10 different heap exploitation techniques, from the original "Unsafe Unlink" to the beautiful overflow-to-shell "House of Orange" and eventually to the cutting-edge "House of Corrosion". In this hands-on course, students will alternate between learning new techniques and developing their own exploits based on what they've learned.

Suggested Combo: Introduction to 64-bit Exploit Development

Key Learning Objectives

  • Introduction to the GLIBC memory allocator: "malloc"
  • The history of GLIBC heap exploitation
  • Understanding and bypassing different heap exploit mitigations
  • Hijacking the flow of execution with heap exploits
  • Leaking information with heap corruption
  • Learning the "Houses" of heap exploitation
  • Scripting heap exploits with pwntools
  • Debugging heap implementations with GDB

Who Should Attend

  • CTF team members who want to take on Linux heap challenges
  • Linux exploit developers who want to add another string to their bow
  • Anyone interested in "weird machines"


Session 1

  • An introduction to GLIBC and its memory allocator
  • GLIBC heap exploitation history
  • Tools of the trade
    • GDB and pwndbg
    • The pwntools library
  • The "House of Force" technique
    • The malloc() function
    • The "top" chunk
  • Hijacking the flow of execution
    • Malloc's hooks
    • "One-gadgets"
  • The "Fastbin Dup" technique
    • The free() function
    • Malloc's fastbins
    • Arenas
    • Defeating the fastbins double-free mitigation
    • Dealing with the fastbins size field check
  • CHALLENGE: "fastbin dup 2"

Session 2

  • The "Unsafe Unlink" technique
    • Malloc's unsortedbin
    • Chunk coalescing
    • Defeating the "safe unlinking" checks
  • The "House of Orange" technique
    • File stream exploitation
    • The "Unsortedbin Attack"
    • Top chunk extension
    • Sorting
  • Info leaks via the heap
    • Leaking heap addresses
    • Leaking libc addresses
  • CHALLENGE: one-byte
    • Leverage a one-byte overflow against a modern pwnable

Session 3

  • The "House of Spirit" technique
    • Passing corrupted values to free()
    • Designing fake chunks
  • The "House of Lore" technique
    • Poisoning the unsortedbin
    • Poisoning the smallbins
    • Poisoning the largebins
  • The "House of Einherjar" technique
  • The "House of Rabbit" technique
    • The malloc_consolidate() function
    • Moving fake chunks between bins
  • Project Zero's "Poison Null Byte" technique
  • CHALLENGE: poison null byte
    • Leverage a single null byte overflow against a modern pwnable

Session 4

  • The "House of Corrosion" technique
    • Reviving the "House of Prime"
    • Defeating libio vtable integrity checks
    • Leveraging partial malloc metadata overwrites
    • Triggering file stream exploits via failed asserts
  • The Tcache
    • The "Tcache Dup" technique
    • Defeating the tcache double-free mitigation
  • CHALLENGE: "tcache troll"
    • Leverage a double-free against a modern pwnable
  • BONUS CHALLENGE: "optimize"


  • Confidence using command line tools
  • Some basic Python scripting skills
  • Familiarity with a debugging environment e.g. GDB

Hardware Requirements

  • Laptop - powerful enough to run VMs
  • 8GB RAM minimum
  • 35GB free HDD space minimum
  • USB-A slot or dongle to copy VM

Software Requirements

  • Windows / Linux / macOS
  • One of the following virtualization suites:
  • VMWare Player
  • VMWare Workstation
  • VMWare Fusion
  • VirtualBox
Max Kamper

Max Kamper

COVID19 Price: Register Now

Max Kamper is a researcher and exploit developer. A former Royal Marines Commando, Max was a member of the Information Exploitation Group's electronic warfare squadron. Having traded radio signals for process signals, he now specializes in exploit development against Linux platforms. Max is also the author of the ROP Emporium website, a resource for learning practical x86 return-oriented programming.